Comments on: Typical pre-alpha bugginess, or embarrassing beginner mistakes?
http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes/
Comments on MetaFilter post Typical pre-alpha bugginess, or embarrassing beginner mistakes?
Fri, 17 Sep 2010 08:14:45 -0800

Typical pre-alpha bugginess, or embarrassing beginner mistakes?
http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes
Late yesterday the much-hyped "privacy aware, personally controlled" <a href="http://www.joindiaspora.com/">Diaspora</a> social network platform (<a href="http://www.metafilter.com/91889/Diaspora-An-Open-Source-Facebook">discussed previously</a>) published its open-source <a href="http://www.joindiaspora.com/2010/09/15/developer-release.html">developer release</a>. "Feel free to try to get it running on your machines and use it," the team urged, "but we give no guarantees. We know there are security holes and bugs, and your data is not yet fully exportable." The Register's initial report is less than rosy: <a href="http://www.theregister.co.uk/2010/09/16/diaspora_pre_alpha_landmines/">Code for open-source Facebook littered with landmines</a>
posted by The Winsome Parker Lewis at Fri, 17 Sep 2010 08:10:54 -0800
Tags: diaspora, facebook, socialnetwork, privacy, security, software, bugs, ruby, developerrelease, prealpha, opensource

By: middleclasstool, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286217
It's a developer release of a brand-new, large-scale project by a relatively small and young team. Isn't one of the points of open-sourcing to find and fix bugs quickly without needing the deep pockets of a corporation?
posted by middleclasstool at Fri, 17 Sep 2010 08:14:45 -0800

By: mikeh, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286225
I can see both sides of this: this group really wants to get something out there quickly to encourage enthusiasm and community involvement. The real important bits are the server-to-server communication, federation of profile data, and data formats. The other, possibly more important part, is security.
Really, if they don't show the sort of professional coding approach to the infrastructure of the code that's necessary in regard to security and scalability, they're going to crash into the ground and contributors are going to wonder where their money went.
All that said, complaining that the code is vulnerable to widespread database server attacks is bullshit because that's not an issue with this project, it's an issue with pretty much anything.
posted by mikeh at Fri, 17 Sep 2010 08:17:37 -0800

By: demiurge, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286227
Wait, you mean a pre-alpha code release of an open-source software project has holes that random security experts interested in the project point out how to fix? The developers are probably pretty happy about this.
posted by demiurge at Fri, 17 Sep 2010 08:19:07 -0800

By: mathowie, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286230
Seems like The Register is taking pot shots at an easy (and already admittedly early release project) target.
posted by mathowie at Fri, 17 Sep 2010 08:20:34 -0800

By: Artful Codger, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286236
seconding middleclasstool - the desired outcome of a pre-alpha "release" is to have a larger team find and maybe help fix stuff.
The wisdom of doing a "public" developer release at this point is of course questionable. I would have opted for a more limited test cycle at this point... but maybe this way will get more fixed, faster, while still maintaining some buzz about the project.
posted by Artful Codger at Fri, 17 Sep 2010 08:24:42 -0800

By: usonian, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286247
The problem was that they announced the project with much fanfare earlier this year, thus setting expectations that the release (which, to their credit, happened around the time they said they would) would be something huge and momentous.
If they had kept quiet and suddenly, unexpectedly released this ambitious platform out of the blue, rough edges would be par for the course and they wouldn't have any hype to live up to.
(I wish the Diaspora team nothing but the best of luck, and plan on checking out the code as soon as I have some spare moments.)
posted by usonian at Fri, 17 Sep 2010 08:27:10 -0800

By: The Winsome Parker Lewis, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286248
In fairness, as the OP, I agree that only good can come from open-sourcing the project and inviting security pros to poke holes in it. I'm not a security pro (or a Ruby developer) so all I can do is parrot what the real experts are saying. And that seems to be that Diaspora's security flaws aren't exactly deep, arcane weaknesses, but rather freshman-level basics. Not that they can't be fixed, but with all the hype and fundraising behind this project I expected something a little more overtly security-oriented by this stage. They kept telling everyone that the project design was oriented with those concerns <em>at its core</em>, which doesn't seem to jibe with what's been released.
Anyway, I desperately want the project to be successful and remain optimistic that all this scrutiny will tighten the bolts a good deal.
posted by The Winsome Parker Lewis at Fri, 17 Sep 2010 08:28:07 -0800

By: Kadin2048, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286250
It's a <em>pre-alpha developer release</em>, not general availability. The Register piece is out of line and really nothing but snarkbait. I know the Reg loves skewering sacred cows, but this was more like kicking a puppy.
I would much rather have the developers release early and often, let the public see the code in development warts and all, than encourage them to seal themselves off until it's somebody's definition of perfect ... and risk never getting anything out at all.
To everyone except the Register and a few must-always-be-contrarian pundits, this is how the OSS development cycle is supposed to work. A couple of people hack away and produce something and toss it to the slavering masses, who tear it apart. They take the resulting feedback and hack on it some more, and try again — hopefully letting it survive in the wild a little longer. Rinse, repeat ... until you get to a point where the cycle of exploit-discovery is slow enough to allow people to use the software meaningfully before each version needs to be upgraded.
I'm frankly quite impressed that the Diaspora guys have managed to turn out anything at all. I was feeling like there was a big risk that they'd soak up all that funding and go into <strike>Duke Nukem Forever</strike> Sonic X-Treme mode.
posted by Kadin2048 at Fri, 17 Sep 2010 08:29:32 -0800

By: delmoi, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286254
<i>It's a developer release of a brand-new, large-scale project by a relatively small and young team. Isn't one of the points of open-sourcing to find and fix bugs quickly without needing the deep pockets of a corporation?</i>
Yeah. But these guys ended up becoming so high-profile thanks to the $200k they raised. They should have used the money to hire real developers. Oh well. If they'd raised the $10k they were asking for, I don't think they'd be getting much flack.
I'm interested in reading some sort of rundown about how the system actually works, though. If it's a suitable basis to expand, that could be good.
posted by delmoi at Fri, 17 Sep 2010 08:30:42 -0800

By: delmoi, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286255
<i>The wisdom of doing a "public" developer release at this point is of course questionable. I would have opted for a more limited test cycle at this point</i>
And how exactly would that have worked with an OSS platform?
posted by delmoi at Fri, 17 Sep 2010 08:32:12 -0800

By: kuatto, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286258
Diaspora team, if you are listening, please stop all focus on the user interface and put your energy into facebook integration (pull data out!, embrace and extend!) and the general mechanics of the diaspora network.
Let the ecosystem develop the GUI. It's just a facebook knockoff anyways, and I'm sure there are plenty of people out there chomping at the bit who can write a decent interface in a weekend.
Also, if I can yell at you a bit more, don't innovate upon the current social networking paradigm. Your efforts are better spent on turning out server code.
posted by kuatto at Fri, 17 Sep 2010 08:33:16 -0800

By: tommasz, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286265
The success or failure of a social network isn't necessarily found in how secure it may be, it's in how popular it is. Given this is supposed to be a <em>developer</em> release, and not one intended for regular users, the security flaws may not be fatal assuming they're gone by the time it goes into public beta. Still, it's not the kind of debut you want given their intentions.
posted by tommasz at Fri, 17 Sep 2010 08:36:09 -0800

By: acb, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286271
For a moment, I thought it was one of Orlowski's "freetard"-bashing pieces. He seems to be the Bill O'Reilly of technology journalism.
posted by acb at Fri, 17 Sep 2010 08:38:31 -0800

By: mccarty.tim, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286278
Don't write it off yet. I'm not sure that it's going to work out, since people tend to flock to the social network with the most of their friends on it. Video phone dilemma and all that. And I hate to say it, but I don't think anyone outside of tech-savvy people really thinks about security of what they upload to social networks. They just don't appreciate that there are marketers and engineers on the other side playing with their data, and that they're being used as a vector to make money even though they haven't spent money.
But still, it's silly to criticize something so new. Early versions of everything suck (with the notable exception of Minecraft). Then, via Sturgeon's Law, 90% of things tend to continue to suck.
And even if it does end up being a network for nerds, that's still a pretty good social network in my book.
posted by mccarty.tim at Fri, 17 Sep 2010 08:42:17 -0800

By: shponglespore, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286286
<a href="http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286248">TWPL</a>: <i>They kept telling everyone that the project design was oriented with those [security] concerns at its core, which doesn't seem to jibe with what's been released.</i>
Their concern is more about privacy than security. They're engineering a system that doesn't inherently hand over all your data to a single entity, so it's still a big win in that regard, even if the security is weak. Obviously "privacy" doesn't do you much good if the security is so bad that it's trivially easy to steal your data, but a lack of security reflects a lack of technical expertise, not a lack of commitment to the stated goals of the project.
posted by shponglespore at Fri, 17 Sep 2010 08:45:06 -0800

By: kuatto, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286288
Also, the interest generated by this project in hacker society is a good indication that the balance of social capital is straining heavily at its bonds. It's only a matter of time before this project or something like it makes itself known.
posted by kuatto at Fri, 17 Sep 2010 08:45:43 -0800

By: The Winsome Parker Lewis, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286292
I just realized the developer release wasn't yesterday, it was the day before. I seem to have lost an entire day in the craziness of work yesterday. Sorry for the inaccuracy, carry on.
posted by The Winsome Parker Lewis at Fri, 17 Sep 2010 08:48:58 -0800

By: RobotVoodooPower, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286295
Call me old-fashioned, but I like to see some semblance of specification or documentation (and perhaps like, community involvement?) on a system that's supposed to replace the Web.
posted by RobotVoodooPower at Fri, 17 Sep 2010 08:49:54 -0800

By: acb, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286302
As someone who has developed web apps, I can vouch for new sites tending to be full of holes when they start off. I once worked on a team developing a web application, which we thought was reasonably secure. Then we called in a penetration testing team, and they found holes one could drive a lorry through. (Mostly things like inputs not being validated and allowing malicious users to inject JavaScript into a page.) Having said that, closing those holes was fairly straightforward.
Anybody who expected the pre-alpha Diaspora code to be secure enough for actual use (which the developers have not set it up for) is probably unfamiliar with the realities of software development.
posted by acb at Fri, 17 Sep 2010 08:53:48 -0800

By: fatbird, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286304
The Register is a tabloid. It's yellow journalism at its most goldenrod. Citing them is like citing Drudge.
posted by fatbird at Fri, 17 Sep 2010 08:55:15 -0800

By: Threeway Handshake, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286324
Welp, their pre-alpha OSS isn't perfect and is vulnerable to the vulnerabilities of its dependencies! Unbelievable. Time to pack it all up and move onto the next big thing.
posted by Threeway Handshake at Fri, 17 Sep 2010 09:03:29 -0800

By: lupus_yonderboy, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286353
> Yeah. But these guys ended up becoming so high-profile thanks to the $200k they raised. They should have used the money to hire real developers.
Spoken by someone who hasn't done real development, I assume!
$200K will get you about two developer-years - and that's assuming they work cheap hoping for IPO money later. It's not just that "real" developers cost over $100K a year in raw salary, but then you have to give them servers, infrastructure and perhaps even a place to work.
I thought this project was overhyped, but now I'm impressed that they have reasonable code to show so quickly - I don't know Ruby (even more, I wish they'd written in Python) but word is that the design is reasonable.
Get it out, get people to beat on it, redesign. Find the horrible errors as early as possible before you put concrete over them. Short iterations!
posted by lupus_yonderboy at Fri, 17 Sep 2010 09:13:40 -0800

By: unSane, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286370
It's not even a freakin' alpha, just a dev branch. Of course it has holes. The Register is the most braindead tech site on the planet.
posted by unSane at Fri, 17 Sep 2010 09:19:24 -0800

By: philip-random, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286404
<em>Also, if I can yell at you a bit more, don't innovate upon the current social networking paradigm.</em>
People love Facebook. Not out of any fondness for the people behind it; simply because, privacy issues etc aside, it works and it's easy and there's already gazillions of people out there who "get it". So anything that's going to replace it has got to start here, with no excuses, no qualifications.
As for Diaspora, count me in with the "want it to be a success" crowd, albeit with one big concern. It seems very strange that this thing would start as a hype (that is, some twenty-somethings with no particular track record saying, "Hey, we're gonna do this amazing thing that everybody wants done, buy our t-shirts."), versus what usonian said ...
<em>If they had kept quiet and suddenly, unexpectedly released this ambitious platform out of the blue, rough edges would be par for the course and they wouldn't have any hype to live up to.</em>
So my paranoid mind says: "Facebook is probably behind this in some secret, nefarious way, a deliberate failure that will only send folks running back to them."
Whereas my pronoid says: "Someone far cooler than Diaspora is behind Diaspora. They want this wobbly, kids stuff to stumble around, do embarrassing things, get noticed, and in doing so raise the notion that Facebook is not a be-all end-all. Meanwhile, the Real Thing is being developed deep, deep in the hacker underground, such that the first most of us actually hear about it, it will be a kickass, hard-as-nails dragonslayer ... maybe set for serious BETA around the time that Facebook movie gets nominated for 14 Academy Awards."
posted by philip-random at Fri, 17 Sep 2010 09:29:31 -0800

By: geoff., http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286413
<i> It's not just that "real" developers cost over $100K a year in raw salary, but then you have to give them servers, infrastructure and perhaps even a place to work.</i>
Health care, operations, etc. Plus who wants to work for a startup with only $200k? I think the best way to approach this is do all you can, then figure out what sections of the project will take a lot of time, then dole out contracts based on that. If you can define the problem well enough, it should be easy to figure out what an experienced developer would be able to tackle.
I have to disagree with not putting effort into the UI. For 99% of open source projects this is absolutely true, but they're just creating a peer-to-peer client and copying the Facebook design. These things are known quantities; a terrible user experience will absolutely sink this product. There's no incentive to put up with bad design.
If they really wanted this to take off, they'd design it so you could easily share files. Just use Pirate Bay or an existing tracker and make it incredibly simple for you to not only see, but download your friends' music, movies, etc. Don't bundle it in the official release, but if you make it possible it'll show up somewhere else. Have this sitting atop a lightweight torrent client and you're golden. Most people don't know or care about the underlying technology, they just know it as the application you can use to find movies your friends like.
Also Ruby? I didn't think Ruby did well under heavy loads? Didn't Twitter have a ton of problems? Maybe it is not such a big deal and if it takes off someone smart will just rewrite it.
posted by geoff. at Fri, 17 Sep 2010 09:33:51 -0800

By: Jpfed, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286427
<em>It seems very strange that this thing would start as a hype (that is, some twenty-somethings with no particular track record saying, "Hey, we're gonna do this amazing thing that everybody wants done, buy our t-shirts."), versus what usonian said ...</em>
They're trying to do something that simply cannot be done without hype. There are some mildly interesting technology issues to be worked out with Diaspora. But that's nothing compared to the tremendous network effects that Facebook enjoys.
For Diaspora to succeed- at all- it needs mindshare, even more than it needs technology.
posted by Jpfed at Fri, 17 Sep 2010 09:41:54 -0800

By: acb, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286442
<i>So my paranoid mind says: "Facebook is probably behind this in some secret, nefarious way, a deliberate failure that will only send folks running back to them."</i>
Except that there is nowhere to run back <i>from</i>. Diaspora is not yet an online destination, but merely a chunk of code one can examine.
posted by acb at Fri, 17 Sep 2010 09:50:30 -0800

By: philip-random, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286451
<em>For Diaspora to succeed- at all- it needs mindshare, even more than it needs technology.</em>
But won't the mindshare be dead in the water more or less immediately if the tech is a washout? I agree that come the right moment, Diaspora must have its hype in place. But this hype started way before this moment. I mean, it's not as if there weren't any number of people already saying "We need an open source Facebook" when Diaspora made its announcement. I was saying it and I have a hard time configuring my email. But for something to be genuinely open source, it needs to be, for lack of a better word, "organic". And any grower of anything will tell you, the most important part of any plant's life is the part we never see, the part that goes on underground before we ever see the first sprouts.
posted by philip-random at Fri, 17 Sep 2010 09:53:57 -0800

By: Freen, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286462
geoff. Concerning Ruby: it's fast enough, if designed reasonably well. Rails as a framework wasn't designed for the use case that Twitter presented: a massive message passing and queuing system. That's why Twitter, originally built on the Rails framework, had such scaling problems.
MongoDB, their datastore, is plenty fast, which is really where most of the time spent processing a web request typically happens, for applications such as Diaspora. In any event though, this is not the moment for speed optimizations nor security hardening, this is the moment for proving out the basic functionality. The Register can eat a whole bucket full of their least favorite genitalia for their "security concerns".
posted by Freen at Fri, 17 Sep 2010 10:00:20 -0800

By: feloniousmonk, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286492
As someone on hacker news said about this, they should focus on developing the HTTP protocol of social networking, not the Apache web server.
I notice this demo-centricity in my professional life, and I think it's harmed this project just as much as it harms real world projects. UI is pretty and flashy and everyone can understand it, so it's understandable that they would pursue it in the face of the frothing hordes of internet tough guys saying they'd better not let their donors down, but ultimately, if you are doing UI first, you're going to have to compromise your system in order to support it. When the server software represents such a crucial part of the product, as it does in this case, that can be a fatal mistake.
posted by feloniousmonk at Fri, 17 Sep 2010 10:15:36 -0800

By: Freen, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286497
Speaking of which, it looks like Diaspora is built on Rails, but these days, Rails is significantly faster, and better suited to a wider variety of use cases.
posted by Freen at Fri, 17 Sep 2010 10:20:44 -0800

By: thsmchnekllsfascists, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286511
I always got Diaspora confused with <a href="http://opensource.appleseedproject.org/">these guys</a>. Same concept—at least as far as I understand it.
posted by thsmchnekllsfascists at Fri, 17 Sep 2010 10:26:40 -0800

By: Freen, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286527
<a href="http://github.com/diaspora/diaspora/network">This graph</a> is essentially the reason why open source is fantastic, and why the Register's concerns are baseless.
posted by Freen at Fri, 17 Sep 2010 10:34:52 -0800

By: Jpfed, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286547
<em>But for something to be genuinely open source, it needs to be, for lack of a better word, "organic". And any grower of anything will tell you, the most important part of any plant's life is the part we never see, the part that goes on underground before we ever see the first sprouts.</em>
I'm not sure how this analogy coheres or relates to Diaspora. Could you please rephrase it? With its current phrasing, it sounds like the most important part of something being genuinely open source is the part of the project before its source is made public, which I can't really understand. It may very well be that the part of a project before its source is made public is the most important determiner of its eventual quality for end-users (I don't know) but I don't know how that part could possibly be the most important part of it being genuinely open source.
posted by Jpfed at Fri, 17 Sep 2010 10:42:51 -0800

By: blue_beetle, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286579
Just wanted to chime in that those thinking $200k would pay for "professional" developers are dreaming. $200k will get you half a dozen part time volunteers. They would have been better off with $0. Write some protocol specs and build an OSS team.
posted by blue_beetle at Fri, 17 Sep 2010 10:57:01 -0800

By: echo target, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286620
<em>But for something to be genuinely open source, it needs to be, for lack of a better word, "organic". And any grower of anything will tell you, the most important part of any plant's life is the part we never see, the part that goes on underground before we ever see the first sprouts.</em>
You have some strange ideas about open source. What you're describing there is closed source with user modifications allowed.
posted by echo target at Fri, 17 Sep 2010 11:16:39 -0800

By: philip-random, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286655
I'm talking about the kernel (the seed), not developed in total private but definitely out of the glare of the public spotlight. There is a difference between open source and "in public", isn't there?
posted by philip-random at Fri, 17 Sep 2010 11:30:25 -0800

By: Candleman, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286659
As someone who does web programming and security, this is BAD and unless they're planning on rewriting the backend from scratch, it makes it MUCH harder to ever secure.
They're making mistakes that a Jr. web programmer shouldn't and that reflects a lack of understanding that I suspect will drag down the project. You don't trust unvalidated input. EVER. You clean data that comes from the users, from their cookies, from the database, from partner websites.
Yes, bugs can be fixed, but it's so very much easier if you design the system to be secure from the start rather than trying to glue it on afterwards. Picture giving a bunch of college engineers money to build a car who have never done so before. Is it easier to design a system with brakes and an airbag if you include them in the design from the get-go or if you build a chassis with an engine and steering system, turn it over to design majors to add a pretty shell, and then try to add them?
posted by Candleman at Fri, 17 Sep 2010 11:31:27 -0800

By: dgran, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286746
Maybe the short term value of this release is that many people who believe (implicitly or explicitly) that the web == facebook will hear that an alternative is possible. The community has effectively spoken out about the deficiencies of the system. Longer term, Diaspora must corral some of the energy into fixing/rewriting it.
posted by dgran at Fri, 17 Sep 2010 12:05:23 -0800

By: ph00dz, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286798
Seems pretty neat... but I've gotta be honest, I'm not sure I get it. Anyone wanna take a shot at explaining?
posted by ph00dz at Fri, 17 Sep 2010 12:20:40 -0800

By: Threeway Handshake, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286841
<em>Anyone wanna take a shot at explaining?</em>
Decentralized Facebook.
posted by Threeway Handshake at Fri, 17 Sep 2010 12:36:15 -0800

By: Jpfed, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286856
<em>Call me old-fashioned, but I like to see some semblance of specification or documentation (and perhaps like, community involvement?) on a system that's supposed to replace the Web.
posted by RobotVoodooPower at 10:49 AM on September 17</em>
This is about replacing Facebook, not the web. I really, really hope those two aren't the same in people's minds...
posted by Jpfed at Fri, 17 Sep 2010 12:48:21 -0800

By: The Winsome Parker Lewis, http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3286927
phoodz: Facebook is a Really Big Thing. If it were a country, it would be the third-most populated in the world. There are <a href="http://www.facebook.com/press/info.php?statistics">over 500 million users, more than half of whom use the site <em>every day</em></a>. It's the <a href="http://www.alexa.com/topsites">second-most visited site on the internet</a>, after Google.
This past May, <em>Wired</em> posted <a href="http://www.wired.com/epicenter/2010/05/facebook-rogue/">an article</a> summarizing many of the most egregious problems with Facebook. The site is a hotbed of privacy outrage, where users have increasingly little control over who has access to their information (the creator of Facebook even recently admitted to calling users of the site "<a href="http://www.newyorker.com/reporting/2010/09/20/100920fa_fact_vargas?currentPage=all">dumb fucks</a>" for blindly trusting him).
Because of all the controversy, there's been a large push to create the "next Facebook." <a href="http://www.joindiaspora.com/">Diaspora</a> is probably the effort that's gotten the most press so far. Shortly after the <em>Wired</em> article I mentioned started making waves, this group of college buddies announced that they had a plan to make a social network that was like Facebook, only...
<ul>
<li>Distributed (not controlled by any single person or company that has access to everything)</li>
<li>Private (users have fine control over who can see any given item they post)</li>
<li>Secure (all data is encrypted and locked down so no one can steal your information)</li>
<li>Open Source (anyone who wishes can view the code and verify nothing nefarious is happening in secret)</li>
</ul>
A couple days ago, the Diaspora team announced that their initial work was done and put it on the web for all interested parties to try out and look for bugs. This was <em>not</em> a formal release — it's not for the general public to sign up and start using like Facebook. Instead, it's just for developers to play around and start working together to make it harder, better, faster, stronger.
The point of this FPP is, it turns out maybe there were a bunch of embarrassing mistakes the team made that reek of amateur hour. Everybody got their hopes up that this was going to be secure by design (or at least showing promise for real security), but what's been released has vulnerabilities you could drive the Titanic through. Simple stuff that real programmers shouldn't have been able to overlook.
It's not the end of the road for Diaspora though. There's still lots of hype and a community of open-source programmers tackling those vulnerabilities as fast as they can. Now that the weak patches have been identified, there's hope and plenty of time to get them fixed up before actually launching anything for mass consumption. Our faith has been shaken a bit by the abilities of the core Diaspora team, but that's not a death sentence for the project. It's definitely worth keeping an eye on still, as it continues to evolve.comment:www.metafilter.com,2010:site.95796-3286927Fri, 17 Sep 2010 13:18:27 -0800The Winsome Parker LewisBy: egypturnashhttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287023
The big, hard problem of writing Diaspora is not building the front-end. It is not even writing something that's inherently completely secure against all attacks.
It is solving the problem that the name of the project references: <em>spreading out everywhere instead of relying on one central point</em>.
Now, Diaspora is far from the first set of people to tackle this. I know that's one of the things Brad Fitzpatrick (creator of LJ) has been working on since going to Google, for instance. In other discussion of Diaspora I saw someone linking to four or five projects I'd never heard of that aimed at pretty much the same thing.
And ideally, <em>that's</em> what this pre-alpha should be demonstrating - I don't care if it's insecure, I care if it's demonstrating that <em>I could set up a Diaspora node, friend someone running their own node, and have his updates seamlessly show up when I look at my node</em>. In <em>seconds</em>. And when our mutual friend who's less technical looks at their account on the larger node being run by the Diaspora kids, or by their ISP, or the one that came installed on their smartphone, or whatever. (Obviously those last two are in the future where Diaspora actually works and takes over from Facebook.)
Does it do this? I'm not sure, I haven't seen many people addressing this instead of the places there's a horrible hack-job hopefully marked "oh god this is a mess fix this later". And my own attempt to set up a Diaspora node yesterday ended after it trashed its database harder than I was willing to figure out how to recover from. I might try again this weekend, might even set up a virtual machine somewhere in the cloud that I can run a Diaspora node on for a few days to see if it does its Biggest Problem at all yet, then flush, because, well, security holes.comment:www.metafilter.com,2010:site.95796-3287023Fri, 17 Sep 2010 14:14:15 -0800egypturnashBy: ph00dzhttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287030
Yeah... see... "decentralized facebook" sounds... well... like something that would pop out of one of those random buzzword generator sites.
So, therein lies my question -- how the heck will a "distributed facebook" solve problems? Am I wrong to think the whole crux of facebook's success lies in its non-distributed nature, everyone is on one platform which is reliably accessible from any other part?comment:www.metafilter.com,2010:site.95796-3287030Fri, 17 Sep 2010 14:18:14 -0800ph00dzBy: adipocerehttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287081
Just reviewing some of the comments I saw yesterday and digging about a bit, it looks like they have made two big mistakes, in series.
First, and most serious, is that they are not concentrating on the protocol to the degree it should be. The protocol is everything here. I cannot emphasize that enough. Before a single line of code is written a protocol ought to have been developed and then had a lot of smart people try to blow it up. Hell, start with some dumb people and then work your way up to asking for help from smart people. The entire project is about communication. If your protocol sucks, you will pay for it <em>forever</em>. This is why spam is an emergent property of SMTP.
Version 0.0.1 of the protocol ought to be on the website for people to casually examine and take swipes at. Eventually, you take $50,000 and you ask Bruce Schneier to try to blow it apart. Maybe spread another $50,000 around at other security people.
The second mistake is the code, which sounds like it contains a metric copulationton of dependencies. And not rock solid OS-level dependencies. I'm talking about packages out the wazoo. I'm not sure how it works but one of my personal metrics in examining new open source projects for investigation includes the number of dependencies involved. If you need Apache and mysql, no biggie. If you require a very specific version of Perl and dozens of specific packages and then some Tomcat oh and you have to install this other thing ... it isn't looking good. It's not a pure lock but the more components you must install that are not in the default, the more fragile something tends to be and the harder it is to get it running in the first place. If they continue to ignore the protocol, then the install must be fast and not prone to blowing up or failing to restart.
This just is not looking great so far, which is a shame, because I want something to make Facebook at least work a bit harder, if not die.comment:www.metafilter.com,2010:site.95796-3287081Fri, 17 Sep 2010 14:48:14 -0800adipocereBy: Jpfedhttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287110
<em>Am I wrong to think the whole crux of facebook's success lies in its non-distributed nature, everyone is on one platform which is reliably accessible from any other part?</em>
Only a <em>little</em> wrong. Interoperability (I can see my friend's info, no matter where I am and no matter where they are) is not the same as having a single owner/controller of the data. You might wonder "how could interoperability be achieved (seamlessly and securely) without having a single owner/controller of the data?", and you'd be right to - it's not trivial. But it would be <strong>really great</strong> if it were merely nontrivial rather than impossible, because if we can have separate datacenters that still interoperate, then if one of them does something that pisses you off, you can migrate your data to a different datacenter.comment:www.metafilter.com,2010:site.95796-3287110Fri, 17 Sep 2010 15:07:11 -0800JpfedBy: RikiTikiTavihttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287116
Yes, yes, it's a developer release.
Which a good number of people are going to download, set up, invite some slightly-less-technical friends, who will invite their friends, and they'll all put private information in there, and...so on. Viral spread can be not so good too.
And then it gets a bad name, which is a pity. If it raises security awareness that'd be some good of it, I guess.comment:www.metafilter.com,2010:site.95796-3287116Fri, 17 Sep 2010 15:11:02 -0800RikiTikiTaviBy: wemayfreezehttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287240
At this point what these kids need more than anything are some strong mentors who can help guide the project. They got 200K because everyone wants this to work. They have a lot on their side, but experience ain't one of them—it would be a shame to see all that hope (expressed through ca$h) come to naught just because they're young.comment:www.metafilter.com,2010:site.95796-3287240Fri, 17 Sep 2010 16:57:59 -0800wemayfreezeBy: heathkithttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287547
I was initially a bit upset when Diaspora got so much attention when other groups have been laboring in relative anonymity for so long. It was hyped out of all proportion, so it was inevitable the public would be a little disappointed with the release. Still, good on them for making it to the end, I look forward to browsing the source.
Also, about it being written in Rails in particular - the hard part of software is coming up with the model for your problem. If you do that well, it doesn't matter what language or technology stack you're in - you can always port it to something else.
Other open-source social efforts include <a href="http://onesocialweb.org/about.html">One Social Web</a> and <a href="http://shindig.apache.org/overview.html">Apache Shindig</a>.comment:www.metafilter.com,2010:site.95796-3287547Fri, 17 Sep 2010 21:52:55 -0800heathkitBy: feloniousmonkhttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287568
I think the key thing that's missing from the explanation is what the "distributed" part actually means. Essentially they want Diaspora to work like Wordpress or Moveable Type. You can install it on your server and have your own social network, and like Wordpress publishes your blog in RSS that a bunch of other clients understand, Diaspora aims to make parts of your social network available to other Diaspora servers. Presumably there will also be the Diaspora equivalent of wordpress.com, which is kind of contrary to the spirit of the thing, but hey, capitalism.comment:www.metafilter.com,2010:site.95796-3287568Fri, 17 Sep 2010 22:26:48 -0800feloniousmonkBy: unSanehttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287579
<a href="http://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287081">adipocere</a> totally has it. The dependencies were what stopped me busting out Xcode and building it. I looked at them and thought -- fuck that. But the much bigger point is the protocol. At some point a truly open social protocol will emerge, and Diaspora will have played its part -- even if it's only a bit part -- in defining that, if only by omission. The notion that your information is a node which you control in every respect, and that a network of these nodes is a de facto social network which communicates via a set of open protocols, is a very powerful one and will outlast Diaspora.comment:www.metafilter.com,2010:site.95796-3287579Fri, 17 Sep 2010 22:37:37 -0800unSaneBy: philip-randomhttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287599
<strong>At some point a truly open social protocol will emerge, and Diaspora will have played its part -- even if it's only a bit part -- in defining that, if only by omission. The notion that your information is a node which you control in every respect, and that a network of these nodes is a de facto social network which communicates via a set of open protocols, is a very powerful one and will outlast Diaspora.</strong>
I agree.comment:www.metafilter.com,2010:site.95796-3287599Fri, 17 Sep 2010 23:03:28 -0800philip-randomBy: heathkithttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287620
Ok, and just because I spent all night reading up on this stuff, here's my opinion of the competition
<b><a href="http://appleseedproject.org/">AppleSeed</a></b> - Very similar project to Diaspora, but started in 2005, I think by a lone coder. It strikes me as a php-based content management system that can link with other nodes to form a network. Unfortunately, documentation is sparse and the <a href="">Demo Site</a> has almost nothing on it, so I have no idea what features it has. Doesn't seem to be going anywhere.
<b>Apache Shindig</b> - The reference implementation of Google's <a href="http://www.opensocial.org/">OpenSocial</a> protocols. This isn't social networking software like Appleseed or Diaspora. Rather, it's a platform and set of standards that operators of social networks can use so that the same app can run on multiple platforms. So, for example, the same clone of Farmville could run on Orkut and Myspace. Interesting for application developers, but not really to the end user.
<b><a href="http://onesocialweb.org/users.html">OneSocialWeb</a></b> - I hate the name, but this seems like the closest thing to implementing Diaspora's goals. It was started by Vodafone's R&amp;D group. They built the platform on top of XMPP (an open source IM protocol), which I think is an excellent choice. They already have a server, web client, and android client available <a href="http://onesocialweb.org/developers-downloads.html">here</a>.
Of these, I think OSW is the most compelling (though i hate the name). I really wish the Diaspora guys had spent their time, money, and visibility working on an awesome web front end for OSW and pushing it along. It's possible that Diaspora could grow into a Facebook killer, but I doubt it. I'd strongly encourage any developers interested in Diaspora to take a look at <a href="http://github.com/onesocialweb">OneSocialWeb's github</a>.comment:www.metafilter.com,2010:site.95796-3287620Fri, 17 Sep 2010 23:54:38 -0800heathkitBy: Artful Codgerhttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287754
to delmoi and the others saying "well, this is how OSS works":
Open-source development does NOT necessarily mean doing your laundry in public. It's not unreasonable to expect a certain level of professionalism in what's designated a "release", especially something that can end up in the public's hands.
Likewise, unless there's some massive pressure to show something/anything right NOW, there's no excuse to release something riddled with n00b mistakes or a totally rough UI. There are tens of thousands of garden-variety programmers around (like me) who have already solved all the stupid little mistakes like input validation a thousand times over. It shouldn't be that hard to find some mentors, or recruit a UI team to handle that part.
I also agree with adipocere - the magic in diaspora is going to be defining the protocol and coding up the engine that implements it.
I'm less worried about dependency-hell at this early stage. It does suggest something slapped together, but it's OK at the proof-of-concept stage, as long as it gets cleaned up immediately after success as a proof-of-concept.comment:www.metafilter.com,2010:site.95796-3287754Sat, 18 Sep 2010 08:06:19 -0800Artful CodgerBy: lupus_yonderboyhttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3287904
adipocere speaks to my heart here.
The whole key to this is the protocol. In some sense, it's irrelevant if their first client is slow and insecure if the underlying protocol is strong, because then people can write better client/servers. It's a shame that they apparently haven't hit the target on that one.
I hadn't realized that they simply aren't sanitizing their inputs at all, rather than doing it badly. That's a real shame.
Even as pre-alpha, they should pass everything through a sanitizer that, right now, does nothing at all - how long would that take to write, an evening if that? As people need more out of it, they'll add more "do nothing" code to it - then later they can write the real part. As it is, every line of code written that gets any variable from the user adds to their <a href="http://en.wikipedia.org/wiki/Technical_debt">technical debt</a> and increases the later chore they have.
And those dependencies. :-( Terrible, terrible idea. Each new package means some amount of extra work on every single person downloading the system, and some fraction of those attempts to install that package will fail. Getting rid of dependencies can be easy, though, if you're careful to design it that way in advance.
On rethinking this, I also think the choice of Ruby is poor and shows a certain blindness. If I were an expert Ruby programmer and writing software for my company, great! But if this open source program is to fly, they must inspire other developers to work on it - so the question of how many developers program in that language is quite relevant.
Now, using a high-quality modern language is of course even more important - or they'd be doing this in PHP.
But frankly, they should be doing this in Python - it's not just that there are two to four times as many Python programmers as Ruby programmers, but that there's strong support for Python "out of the box" on Windows, Mac and *nixen, it's a mature language.
Both Python and Ruby are advanced, modern languages, as a pure language you could make convincing arguments for either of them.
Yet I still think that this is how open source should work. They haven't put a lot of their lives into it yet and a lot of smart people can immediately tell them where they're going wrong. If we scotch it early, then great, these developers are released to the rest of the world.comment:www.metafilter.com,2010:site.95796-3287904Sat, 18 Sep 2010 11:21:49 -0800lupus_yonderboyBy: The Winsome Parker Lewishttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3294825
I just found <a href="http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/">this follow-up</a> from yesterday, which goes into more detail than the Register article originally posted. It's rather scathing: "The team is manifestly out of their depth with regards to web application security, and it is almost certainly impossible for them to gather the required expertise and still hit their timetable for public release in a month." This thread's about done, but I'll just leave this here for posterity.comment:www.metafilter.com,2010:site.95796-3294825Thu, 23 Sep 2010 09:26:03 -0800The Winsome Parker LewisBy: rodgerdhttp://www.metafilter.com/95796/Typical-prealpha-bugginess-or-embarrassing-beginner-mistakes#3299717
I just came here to post the followup, TWPL; it's a pretty effective rebuttal to all the hope-over-reality posts slamming The Register for being big mean poopy heads. Those are breathtaking, fundamental problems at the base of the code, and no amount of ad-hom or wishful thinking will make them go away.
A shame, really.comment:www.metafilter.com,2010:site.95796-3299717Mon, 27 Sep 2010 02:11:13 -0800rodgerd